CVE-2023-39219 - OpenCVE

PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Pingidentity	Pingfederate

Configuration 1 [-]

OR	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate:11.3.0:::::::*

References

Link	Resource
https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244	Release Notes
https://www.pingidentity.com/en/resources/downloads/pingfederate.html	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Ping Identity

Published: 2023-10-25T01:44:44.362Z

Updated: 2023-10-25T01:44:44.362Z

Reserved: 2023-07-25T20:13:14.871Z

Link: CVE-2023-39219

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-25T18:17:28.973

Modified: 2024-02-01T13:57:07.213

Link: CVE-2023-39219

JSON object: View

Redhat Information

No data.

CWE

CWE-400

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-39219", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "state": "PUBLISHED", "assignerShortName": "Ping Identity", "dateReserved": "2023-07-25T20:13:14.871Z", "datePublished": "2023-10-25T01:44:44.362Z", "dateUpdated": "2023-10-25T01:44:44.362Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PingFederate", "vendor": "Ping Identity", "versions": [{"lessThanOrEqual": "11.3.0", "status": "affected", "version": "11.3", "versionType": "custom"}, {"lessThanOrEqual": "11.2.6", "status": "affected", "version": "11.2.0", "versionType": "custom"}, {"lessThanOrEqual": "11.1.7", "status": "affected", "version": "11.1.0", "versionType": "custom"}, {"lessThanOrEqual": "10.3.12", "status": "affected", "version": "10.3.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests</span><br>"}], "value": "PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests\n"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2023-10-25T01:44:44.362Z"}, "references": [{"url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}, {"url": "https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244"}], "source": {"advisory": "SECADV037", "defect": ["PF-33449"], "discovery": "EXTERNAL"}, "title": "Admin Console Denial of Service via Java class enumeration", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "1580F4CC-0AE6-4ABF-8EF5-2AF53973DBC7", "versionEndIncluding": "10.3.12", "versionStartIncluding": "10.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "7122A4D7-4BFF-4AA5-876B-CA325B3A2293", "versionEndIncluding": "11.1.7", "versionStartIncluding": "11.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "116C42D0-F1AD-4C81-B17C-6114A83A091B", "versionEndIncluding": "11.2.6", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:11.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4DEF0BF-4C46-4386-8C46-3687A644A47B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests\n"}, {"lang": "es", "value": "La dependencia de la consola administrativa de PingFederate contiene una debilidad donde la consola deja de responder con solicitudes de enumeraci\u00f3n de carga de clases Java manipuladas"}], "id": "CVE-2023-39219", "lastModified": "2024-02-01T13:57:07.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}, "published": "2023-10-25T18:17:28.973", "references": [{"source": "responsible-disclosure@pingidentity.com", "tags": ["Release Notes"], "url": "https://docs.pingidentity.com/r/en-us/pingfederate-113/gyk1689105783244"}, {"source": "responsible-disclosure@pingidentity.com", "tags": ["Product"], "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}